For the month of July, we’ve seen the increasing popularity of the iPhone since it debuted last June, the United States’ 231st celebration of its independence, and the release of the movie adaptation of Harry Potter and the Order of the Phoenix. Unfortunately, a lot of the threats that emerged in July took advantage of these events. Let’s have a recap of what happened last month.
A Trojan capitalizing on the iPhone’s popularity, this malware installs itself as a BHO (Browser Helper Object) on a system and hooks into IE so that it is able to open a popup window whenever a user visits the popular Web sites www.yahoo.com and www.google.com. It is known to employ a phishing technique, redirecting the user’s browser to a fake iPhone purchase site.
WORM_HAIRY.A. This worm capitalized on the popularity of Harry Potter and some related events that happened in July, which included the premiere of the new movie in the Harry Potter series and the launching of the final book, Harry Potter and the Deathly Hallows. WORM_HAIRY.A has been observed to display messages with anti-Harry Potter sentiments.
WORM_NUWAR.FU and WORM_NUWAR.GT. Two new variants of WORM_NUWAR took advantage of the July 4 holidays. They spread through email messages as ecard.exe, posing as a greeting card/postcard containing Fourth of July greetings.
BKDR_FONAMEBOT.A. This is a proof-of-concept backdoor that made use of the DNS protocol instead of IRC channels to communicate with its bot masters. Compromised DNS servers can be utilized to cover the tracks of remote malicious users.
TSPY_KOLLAH.F. This is the latest ransomware to be discovered to date. TSPY_KOLLAH.F encrypts the user’s data files (Office documents, Excel spreadsheets, PowerPoint presentations, etc.) with an RSA-4096 encryption tool. Large companies, mostly in the United States, have been reported to be affected by this ransomware. A ransom note is dropped on the affected system claiming that unless the victim pays $300 for the decryptor, the perpetrators will share the encrypted data. Sounds like something from a hacker movie, don’t you think?
TROJ_BANLOAD.CGL. Malware authors wasted no time in taking advantage of the news of a Brazilian plane accident. This Trojan arrived in a spammed email with a link to a “video” of the accident. Of course, the link actually points to a malicious site that downloads a copy of spyware onto the user’s system.
VVINDOWSUPDATE.COM. This isn’t an actual web threat yet, but it could become one in the future. It is simply a domain registered as VVINDOWSUPDATE.COM, with a double V in place of a W. The use of the double V is intentional; it was possibly meant to trick users into thinking that this domain is the actual update site for Windows. Although there are no pages on the site yet, it’s highly possible that VVINDOWSUPDATE.COM could be used in future web threat attacks.
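As an added example (not code from the original roundup), here is a small defensive check that collapses the double-V trick and a few other look-alike substitutions before comparing a queried hostname against a list of protected domains; the DNS log format, the protected-domain list and the extra substitutions are constructed assumptions.

```python
import re

# Protected brand domains a defender wants to watch (constructed list; the
# Windows Update case is the one the roundup describes).
PROTECTED = {"windowsupdate.com", "google.com", "yahoo.com"}

# Character sequences that look alike in common fonts. "vv" -> "w" is the
# trick from the roundup; the others are assumed, commonly seen equivalents.
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("0", "o"),
    ("1", "l"),
]


def normalize_host(host: str) -> str:
    """Lower-case the host, drop a trailing dot, and collapse confusable sequences."""
    h = host.strip().lower().rstrip(".")
    for fake, real in CONFUSABLES:
        h = h.replace(fake, real)
    return h


def registrable_domain(host: str) -> str:
    """Keep the last two labels (simplification: no public-suffix list is used)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_of(host: str):
    """Return the protected domain that `host` imitates, or None.
    The genuine protected domain itself is never reported as a look-alike."""
    raw = registrable_domain(host.strip().lower().rstrip("."))
    if raw in PROTECTED:
        return None
    norm = registrable_domain(normalize_host(host))
    return norm if norm in PROTECTED else None


def flag_dns_log(lines):
    """Scan constructed DNS query log lines of the form
    '<timestamp> client=<ip> q=<qname>' and return (qname, imitated) pairs."""
    hits = []
    for line in lines:
        m = re.search(r"\bq=(\S+)", line)
        if m:
            qname = m.group(1).lower().rstrip(".")
            target = lookalike_of(qname)
            if target:
                hits.append((qname, target))
    return hits
```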
iPhone and Safari. A vulnerability was found in the Safari browser bundled with the iPhone. When exploited, this vulnerability allows a remote user to execute code on the device. Other researchers also determined the passwords used for the root and mobile accounts. Because of the growing popularity of its products, Apple is fast becoming a target for exploits and bug hunting.
IE and Firefox Tandem. A cross-browser vulnerability exists in Internet Explorer and Firefox. This means that IE can be employed to run possibly malicious code in Firefox 2.0. The culprit responsible for this is the vulnerable parameters that are passed between the browsers. However, no actual malware exploiting this vulnerability has been discovered yet.
Trillian Instant Messenger. Recently, a couple of vulnerabilities were discovered in this IM application regarding how it processed certain URIs. The first vulnerability can be exploited to automatically execute a potentially malicious file on the user’s system, while the second one can be used to cause buffer overflows.
In addition, here’s a glimpse of the prevalent malware that we captured for July. These are the malware families with more than 100 variants.
So that’s it for the month of July. Let’s see what August has for us in next month’s Malware Roundup.